Information Security News mailing list archives

Previous By Date Next
Previous By Thread Next

[infowarrior] - Message To Microsoft: Only The Truth Shall Set You Free

From: InfoSec News <isn () c4i org>
Date: Mon, 18 Feb 2002 00:33:11 -0600 (CST)
---------- Forwarded message ----------
Date: Sat, 16 Feb 2002 10:09:22 -0500
From: Richard Forno <rforno () infowarrior org>
To: rforno () infowarrior org
Subject: [infowarrior] - Message To Microsoft: Only The Truth Shall Set You Free 


Message To Microsoft: Only The Truth Shall Set You Free
Richard Forno
(c) 2002. Permission granted to reproduce in whole or in part, with
appropriate credit.

News Flash!  Judge Kollar-Kotelly has granted the states access to
Microsoft Windows source code as part of this phase of the anti-trust
ruling. Of course, the software giant is against this action, and we
can only hope her decision stands.

If so, not only will this level the legal playing field in the case,
as Kollar-Kotelly says (by allowing the states to verify Microsoft's
claims about the product) but more importantly, allow IT professionals
to see exactly how secure (or insecure) Windows really is, something
that many security professionals have been calling for a long time as
the ONLY true way to verify and validate Microsoft's claims about the
stability, security, and reliability of its pervasive Windows
operating system. In Microsoft's defense, releasing the code will go a
long way in curtailing the growing negative press and public sentiment
about the company and its products, and could be an action that
actually generates business for them over the long-term.

Considering that nobody outside of Redmond knows what evil lurks in
the millions of lines of code compromising Windows XP, by granting
external access to Windows source, Kollar-Kotelly has established the
basis for what some would call the "ultimate vulnerability disclosure"
- namely, finally discovering the truth about Windows product's
features, both documented and undocumented, that are the scourge of
the IT world and subject of most of the IT-security news stories over
the past five years.

This is a long-overdue action, and I pray the decision stands.
(Actually, one could argue that this is the penultimate example of
what "responsible vulnerability disclosure" is all about...)

Releasing the Windows source code to the states (parties outside of
Microsoft with (hopefully) non-profit interests in justice and not
market dominance) would be one government-initiated action that
actually improves the security and assurance of America's critical
infrastructures and (by extension) the world's IT sector. This would
be a real, tangible, action that actually increases security, unlike
the FAA prohibitions on carrying Swiss knives, knitting needles, or
razors onboard a civil airliner.

As such, given that Windows runs some pretty significant, critical
systems in our financial, utilities, medical, and defense sectors,
releasing the source code for external evaluation is not just a
'nice-to-have' but a MUST-HAVE as we move towards effectively
increasing the security of America's critical infrastructures.....for
Microsoft, it's the responsible thing to do, given the company's
much-ballyhooed 'renewed focus' on security, as outlined in the
February 2002 Gates Declaration and its current month-long "security
stand-down". (  See "The Gates Declaration and Microsoft Security Day
at http://www.infowarrior.org/articles/2002-02.html).

If the company is truly committed to paying product security anything
more than PR lip-service (which many security professionals believe is
all they are doing,) Microsoft will embrace Kollar-Kotelly's decision
as a significant step in improving the security of - and the public's
trust in - the company and its products. By releasing the Windows
source code, Microsoft can prove to the world it has nothing to hide
and that it can be trusted as a purveyor of mission-critical software.
This likely would lead to a restored public image and confidence in
the company, quite possibly leading to increased business and sales.  
So it's a win-win for Microsoft, assuming it ever gets over its
corporate hubris and realizes the potential long-term benefits it
could reap by simply and accurately complying with court orders.


From a business perspective, Microsoft would be wise to do the mature

thing - quietly take its court-ordered medicine (ignoring how bad it
might taste in the short-term) and realize that it stands a good
chance of getting much better in the long-term.

Thank you, Judge Kollar-Kotelly, for taking a pro-consumer and
pro-security position with your ruling, one that - assuming it stands
and is correctly acted upon in the best interests of the country -
will be one of the few government actions actually (and effectively)
improving the security of America's critical infrastructures.

It would be a public service on an unprecedented scale.

Richard Forno
infowarrior.org

-------------------------
Further Reading:

Judge grants States access to Windows source
John Lettice (The Register)
http://www.theregister.co.uk/content/4/24095.html

Analysis of the Gates Declaration & Microsoft Security Day
http://www.infowarrior.org/articles/2002-02.html

Who Needs Hackers? We've Got Microsoft!
http://www.infowarrior.org/articles/2001-15.html

Counterpane CRYPTO-GRAM 02-15-01
http://www.counterpane.com/crypto-gram-0202.html

The Microsoft-English Dictionary 1.5
http://www.infowarrior.org/articles/2001-04.html


--



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.
Previous By Date Next
Previous By Thread Next

Current thread: